PENETRATION TEST

The motives of the people attacking systems, together with their knowledge, skill, time and motivation, have always exceeded the security expert's time, knowledge and skills. To defend against these attackers, systems must be tested by people who think like them. In information technology, security can be separated into two categories: defensive security and offensive security, in other words proactive security. Penetration testing (pentest) is a product of offensive security.

A pentest is the process of approaching target systems from an attacker's point of view, trying every applicable technical method to penetrate and take control of them.

Pentest and Vulnerability Assessment are similar but distinct concepts. A vulnerability scan is the process of finding and reporting known security vulnerabilities in target systems using various security software. In a penetration test the aim goes beyond finding vulnerabilities: the weaknesses are exploited to gain privileged access to the systems and to identify the additional actions that could be performed on the target systems (infiltration, access to information, etc.).

PENTEST METHODOLOGY

Scope

Information Gathering (Reconnaissance, Discovery)

Discovery and Scanning (Enumeration)

Vulnerability Scanning and Analysis

Exploitation

Privilege Escalation, Lateral Movement (Post Exploitation)

Information, Document Collection (Post Exploitation)

Clearing Tracks

Reporting

Scope: The type and number of systems to be tested are determined in meetings with the client. Assets that are discovered during the test but were not defined within the scope may be included in or excluded from testing after consultation with the customer. A Non-Disclosure Agreement (NDA) is signed before work begins; it covers the engagement and ensures that the information produced by the tests is protected.

Information Gathering (Reconnaissance, Discovery): The stage of collecting information about the target network and systems. Personal information, domain addresses, IP address ranges, device lists, etc., can be obtained from public sources on the Internet (OSINT, Open Source Intelligence). Live systems are then discovered using the information obtained and, for internal network tests, the IP ranges provided for testing.

Discovery and Scanning (Enumeration): Open ports on the live systems are determined. The names and versions of the services listening on those ports, as well as the operating system versions, are identified.
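Before discovery results feed into vulnerability scanning, the tester needs to know which live hosts the client actually approved. The following added example (not from the original page) reconciles a discovered-host list against the in-scope ranges and client carve-outs from the Scope step, so that anything outside the agreed scope is held back for the client consultation described there. All ranges and addresses are constructed sample values.

```python
"""Reconcile discovered hosts against the agreed engagement scope.

Added example, not part of the original page. The scope ranges, the
exclusion list and the discovered hosts below are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    in_scope: list                                 # networks approved by the client
    excluded: list = field(default_factory=list)   # carve-outs that must not be tested

    def classify(self, host: str) -> str:
        """Exclusions win over in-scope ranges; non-IP strings need resolving first."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return "unresolved"
        if any(addr in net for net in self.excluded):
            return "excluded"
        if any(addr in net for net in self.in_scope):
            return "in_scope"
        return "out_of_scope"


def load_scope(in_scope, excluded=()) -> Scope:
    """Parse CIDR strings as agreed with the client (strict=False tolerates host bits)."""
    return Scope([ipaddress.ip_network(n, strict=False) for n in in_scope],
                 [ipaddress.ip_network(n, strict=False) for n in excluded])


def reconcile(scope: Scope, discovered) -> dict:
    """Bucket every discovered host; only the in_scope bucket proceeds to scanning."""
    result = {"in_scope": [], "excluded": [], "out_of_scope": [], "unresolved": []}
    for host in discovered:
        result[scope.classify(host)].append(host)
    return result


def approved_targets(scope: Scope, discovered) -> list:
    """Hosts cleared for the next phase, sorted numerically for the scan target file."""
    return sorted(reconcile(scope, discovered)["in_scope"], key=ipaddress.ip_address)


# Constructed sample: an approved range with one production carve-out, and a
# discovery result that strayed onto an adjacent, unapproved subnet.
SAMPLE_SCOPE = load_scope(["10.20.0.0/24", "10.20.5.0/25"], excluded=["10.20.0.250/32"])
SAMPLE_DISCOVERED = ["10.20.0.10", "10.20.0.250", "10.20.5.130", "10.20.5.7", "10.20.0.33"]

if __name__ == "__main__":
    for bucket, hosts in reconcile(SAMPLE_SCOPE, SAMPLE_DISCOVERED).items():
        print(f"{bucket:13s} {hosts}")
```

Out-of-scope and unresolved hosts are the ones to raise with the customer before any further action, as the Scope step requires.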

Vulnerability Scanning & Analysis: Known vulnerabilities in the services and operating systems found on the discovered systems are scanned for with vulnerability scanning tools. In addition, the services are analysed manually for vulnerabilities. Misconfigurations and default accounts are analysed, and weak or default passwords are tested on the systems.

Exploitation: Vulnerabilities in the identified operating system and service versions are exploited. Exploit code is customized for the systems or services found to be exploitable from the information gathered in the discovery and vulnerability scanning steps, and this code is used to attempt to penetrate the systems. On password-protected applications that can execute commands on the system, the information obtained in the previous steps is used to execute commands on the systems in a chained attack and exploit.

Privilege Escalation, Lateral Movement (Post Exploitation): On systems where access has been obtained, privilege escalation is attempted and system-side restrictions are bypassed. The goal is root privileges on *nix systems and NT AUTHORITY\SYSTEM on Windows systems. Using the compromised systems as pivot points, the tester tries to take over all systems by spreading to other network(s) that are not directly accessible.

Information, Document Collection (Post Exploitation): Applications running on the compromised systems are accessed using the credentials obtained. With the high privileges gained in the previous step, encrypted or plain-text password information is recovered. Significant files found on the systems are delivered to the customer as encrypted copies, serving as evidence, at the end of the test.

Clearing Tracks: The malware used during the penetration test and the exploitation phase is removed from the systems in which backdoors were placed.

Reporting: The information and documents obtained are converted into a proper form and submitted to the customer. The report includes an executive summary and detailed vulnerability explanations.